Posted by samzenpus on Wednesday May 01, 2013 @10:11PM from the get-your-own dept.

Lucas123 writes "Half of all employers will require workers to supply their own mobile devices for work purposes by 2017, according to a new Gartner study. Enterprises that offer only corporately-owned smartphones or stipends to buy your own will soon become the exception to the rule in the next few years. As enterprise BYOD programs proliferate, 38% of companies expect to stop providing devices to workers by 2016 and let them use their own, according to a global survey of CIOs by Gartner. At the same time, security remains the top BYOD concern. 'What happens if you buy a device for an employee and they leave the job a month later? How are you going to settle up? Better to keep it simple. The employee owns the device, and the company helps to cover usage costs,' said David Willis, a distinguished analyst at Gartner."

Yeah, there's software [mobileiron.com] out there to do exactly that, that a lot of employers (I'm in the network security field) already require to be installed if you want to connect to work resources.

I see the future of BYOD being running another OS instance for the work apps, or possibly a separate easily switched profile with encrypted storage. One of the biggest hurdles right now with iOS and BYOD is that the end user can easily recover the wiped data from their last iCloud backup. There are similar concerns with personal Dropbox accounts: how do you regain control of your corporate data once it's on an account that the user controls? There are solutions to the problem like Windows rights management server (DRM for corporate documents) but they don't tend to play well with machines that aren't part of the central infrastructure, and are especially poor at supporting non-PC platforms.

I have a separate hard drive on my personal computer to boot from when I work from home, and I would love to be able to seamlessly use my phone to connect to work as well. Given the choice between my employer's giving me a non-Android device (given that my current phone is Android-based) and my bringing my own device, I would much rather bring my own device.

Would you have that same feeling if your employer insisted on being able to monitor your calls, texts, data and other uses of your personal phone plus have the capabilities to wipe it? That is what the OP is saying his company does.

Yes, and VMware ready for Android devices, and the user profiles from Android 4.2 refined, and the encrypted partition and app space from Good, and a whole host of other existing solutions, but if BYOD is going to become pervasive it's going to need to be built in at the system level and be easy to manage (I have to give RIM credit, Balance does a pretty good job of meeting all these needs, it's just a second tier platform at this point).

I expect to get the living hell modded out of me when I say the iPhone has been a secure platform for BYOD for a while now (I don't remember if it's the 3GS or 4 where security was tightened up). Besides the Configurator, something as humble as ActiveSync can manage them. Same goes for many of the latest Android devices. The point is it's easy to natively get strong security on a mobile device. How well it meets your needs depends on your needs.

Yeah, exactly. I'm on Android, and within the last year our standard connection to our work Exchange server required me to accept some basic management settings (remote wiping included) just to be able to pull my mail down, no extra software needed.

You shouldn't have signed away your rights like that. Maybe you are comfortable giving your employer access to all the data on your phone, including photos, passwords and everything else. Most people probably would think the pictures you took in Vegas aren't any of your employer's business. Out of curiosity, if you change those basic management settings, does your email still work? If not, then something more than just settings was done to your phone, maybe software was installed remotely?

Personally, if my employer feels I need access to email or to be reached 24/7, it is their responsibility to provide the means for that. They do not have the right to take over my personal property or data just because I work there. Put differently, if there is a business reason for them needing me to receive emails/texts/calls outside of normal working hours, then they should provide a business solution. If I want to do it for my own convenience on my own device, well, then I would have to weigh the convenience against all the privacy issues involved.

I'm right there with you. As one of the security people involved with implementing BYOD (though somewhat peripherally) at my last job, I opted to keep the Blackberry issued to me rather than attach my phone to the enterprise network even though I had admin access to the system. Many people thought I was nuts, but I draw a fairly clear line between work and personal life. Knowing what can be monitored, I opted to maintain that line.

I think that might be one of the things people don't realize, even if they read what the company should be supplying. The mobile device security industry is changing rapidly with hooks going much deeper than they used to. One product that we looked at (but didn't implement) allowed not only monitoring of call logs but copied all text and MMS messages to or from the device up to the server for archiving, something I viewed as far too invasive for BYOD. Even if it was deleted immediately from the device, the software grabbed it and copied it up (or archived it for copying if data wasn't available). But with companies clambering over each other for features, I'm sure it wasn't long before others added it to their own lists.

Personally, if my employer feels I need access to email or to be reached 24/7, it is their responsibility to provide the means for that. They do not have the right to take over my personal property or data just because I work there. Put differently, if there is a business reason for them needing me to receive emails/texts/calls outside of normal working hours, then they should provide a business solution. If I want to do it for my own convenience on my own device, well, then I would have to weigh the convenience against all the privacy issues involved.

This.

I just tried to argue this same point where I work; I work in an IT group that has a rotating 24x7 on call. We had employer-issued Blackberries, which both received SMS messages and could connect to email.

Since we had had them for a while, the SMS alerts over time had evolved to "X has failed. Check your email for details."

Then the company forced us to turn in our Blackberries and went to a BYOD. I tried, unsuccessfully, to argue your point. I get spotty coverage on my personal phone, and none in the building, so that would rule out my personal device. Plus I refuse to allow the company control of my device, stipend or no.

The alternative was to accept a "penny phone" (a Samsung Chronos 2). I was very clear with my boss and boss' boss what that could mean for response to pages. So far, nothing has come up, but I also am kind of hesitant to stray far from home when I am on call.

You are in a win-win situation. They can only monitor when the SMS went out. If you aren't in range, you can't be held accountable for not receiving it. Since it is your phone and your personal property, they can't even ask to see the phone to check the logs. So, if a message comes in and you don't want to go, well, you never received it, did you? (Of course, it would be helpful if your concerns had been documented in writing.)

I'm as big a fan of the iPhone as anyone, but the tools you mention don't work for BYOD. They're great for company owned and managed devices. But it's not "Your Own Device" if you're letting someone else control it with those profiles or activesync connections. If I've paid for hardware with my own money, it's mine... period, full stop. No one else gets admin, root, remote-wipe, find my iPhone, or whatever privileges but me.

I'd allow a company-controlled encrypted partition or something. But *I* retain control of *my* device as a whole. Apple's tools don't yet allow such a solution.

That's exactly the point, and that's how it's being sold. From my company's boss, he wants to give everybody a stipend for "a device" load up Citrix and said lockdown for company days, then let them do whatever they want.

So basically his version of BYOD is letting you use "any" device but the company is still going to tell YOU what to do with it. Extend that to the cheap-ass employers that will just expect you to bring your OWN PAID FOR device in and bastard IT people that wipe YOUR data whenever the boss says.

It's a whole "bag of hurt" for legal reasons as well. Jailbreaking, personal medical or legal data, not to mention music or media (and porn) all being carried around the workplace all day. It's an HR nightmare! I have just enough ODD to put clopping fan service as a screensaver just to piss one of those cheap-ass bosses off.

I'm as big a fan of the iPhone as anyone, but the tools you mention don't work for BYOD.

What you aren't getting is that "Bring Your Own Device" really just means "Pay For The Company's Device."

The company treats it like they own it. They get admin access. They lock the user from setting preferences (like screen lock settings, etc). They wipe it if they decide they don't need you any longer. They specify what kind of device you can bring.

Basically you're buying a device, then leasing it free of charge to the company for the duration of your employment. You get it back when you quit.

I already commented or I would mod you up, but that is exactly what is going on. If a company has a business reason that you need access to mail and other company resources 24/7 then they should provide the device. If there is no business reason for it, then why would anybody voluntarily want to do this and trade away their privacy to boot?

I expect to get the living hell modded out of me when I say the iPhone has been a secure platform for BYOD for a while now (I don't remember if it's the 3GS or 4 where security was tightened up). Besides the Configurator, something as humble as ActiveSync can manage them. Same goes for many of the latest Android devices. The point is it's easy to natively get strong security on a mobile device. How well it meets your needs depends on your needs.

If you let company admin access to lock and wipe your device, control what apps you install and use - like e.g. very insecure data-syncing services like iCloud/Dropbox, etc. then it is not really your personal BYOD device anymore, it is a company device. If you don't have this, the device is not company secure (it doesn't help enforcing local device encryption and password policies to prevent access to company data if you are leaking same company data to highly insecure consumer cloud services or in other ways setting up and using your phone in an insecure way).

As several others have said on the thread already, the answer for BYOD security is that the phone needs to be running a controlled separate/virtual environment for the company that is completely walled off from the personal part of your phone.

Only works if they all run Windows, and the backup software from the phone to laptop to server runs the software taken from the phone, or the process of backing up the phone (and subsequently the server) can trigger an exploit in the host OS to do so. In a heterogenous environment - e.g. ARM devices to x86 devices as is nearly all Android and all iOS devices - that would be very, very hard to do. In a homogenous environment - e.g. Windows Phone, Windows OS, - it would have some tricks, but it would be within reason of possibility.

Actually it could be much simpler than that. Suppose it wipes your phone, but leaves a bit of code on the phone so the next time you go to sync, it checks itself and if the flag was set to wipe the phone, it then wipes the synced files or hard drive instead. There is already a product that does exactly that on the market.

Still, a company could have quite the legal risk if they did that...so it wouldn't be worth it to most companies for that reason alone. The company could, for instance, be in violation of the CFAA, among other things, for doing that. It would have similar consequences to the HP hacking scandal a few years back.

They wouldn't have any legal risk if you signed an agreement that allowed them to do so. Could be in your employment papers, or employee manual or any number of other places that if you d

>> there's software out there to (monitor communications or wipe my own device)

My current employer has a BYOD policy and software for this. My solution: never use a personal device for work purposes, especially never company email. Instead, I use a company-resident mail forwarding application to read my company email and to send alerts to a personal email address if it finds something that looks interesting enough and I've been out of the office long enough (e.g., more than a day). If I do get such

I'm perfectly happy having corporate e-mail on a phone I pay for 100%, but I refuse to allow anyone to have control over my phone but me. My company encourages e-mail on our personal phones but requires stock firmware, non-rooted, the ability to remote wipe, and the ability to change security settings on my phone. I'm fine if there is a requirement that I have remote wipe ability but I should be the only one in control of it. And telling me that I can't run alternative firmware due to "security concerns" is

If it's my device that I paid for, I *don't* want to connect to work resources. Fuck that. My device, my number, none of your business.

Yup, agreed.

And there are plenty of at-will employers that will respond with "You're fired. Fuck you. My company. My rules. None of your business as to why I fired you. Bye."

One can be firm in a stance, but one might find themselves standing alone.

Actually, they won't do that because it is a lawsuit waiting to happen. It's discrimination to only retain employees who have their own smartphone. If an employee doesn't have means to pay for a smartphone, the company needs to provide a basic one for them OR a stipend able to cover the entire cost of one for the functionality necessary for company work.

This is very similar to only hiring employees with cars: You can't legally get away with that for most jobs; instead they can only expect employees to ha

Samsung is already working on [anandtech.com] a solution [businessinsider.com] to that [samsung.com]. Basically, instead of your employer having full run of the phone, all the employer stuff is put into a sandboxed instance of the OS. Your personal phone runs into another sandboxed instance. Like having two virtual machines running simultaneously, you can flip between the two. Your employer has full control over one, and you have full control over the other.

I'm a little skeptical of how well it'll work in practice (backups will probably be problematic). But if they can pull it off, it will eliminate the need to carry two phones just because your workplace wants full access and control.

"I wouldn't worry about it. This will never happen at any company that has any concern about security."

Besides that: if they want me to use my own hardware, they can damned well pay me for it.

I'm not going to erase (or endanger!) my personal software and files for the purpose of someone else's company, and as far as I am concerned, equipment works the same as simply showing up. That is: if they want me to be there, they can pay me for the time I am there. If they want the use of my equipment, they can pay for the use of it. Or they can buy their own. They aren't going to get it both ways.

To answer the question in your subject, the company owns the company data and you own your data. Unfortunately, on most devices without a third party solution your personal data is wiped along with the company's. The capabilities of Mobile Device Management software are very intrusive.

At my company there is a lot of internal chatter about BYOD, along with the security concerns (especially in terms of IP).

My stance: Just say no to BYOD. If my company deems it necessary for me to use a portable electronic device to perform my job, then either:
a) They supply it, and it remains company property, or
b) There is no option b

Option b) is that it's my device and all that entails, I control it, not them. No different than my car, if I leave the company it's still mine. If something belonging to them is in the trunk, they can politely ask that it be returned, but they don't get a set of keys, or have permission to enter it.

If they don't like these terms, well... then it's back to your option "a)"

BYOD is no different than using a personal car, or a briefcase, and having company documents in either.

It's very different. There are regulations about how different classifications of data can be moved around and stored. You can have things on your phone that you can't have in a briefcase in your car. And there is more opportunity for a phone to be lost or stolen.

There are regulations about how different classifications of data can be moved around and stored.

Employers that follow those regulations/classifications probably won't require (or even allow) BYOD, so I would agree with vux984 that they aren't really different from other methods of taking company data off-site.

Any company that allows confidential or classified data on a personal device is looking for a lawsuit by someone, and prohibits it if they are smart.

...without compensating security controls, yes I'd agree. Even so, confidential data has many different classifications - most companies consider all work email to be confidential, but far fewer require VPN or physical network access to be able to retrieve that email. Other work resources, however, often *do* require additional security when attempting to acces

And unless the company dictates that I have to own and drive X vehicle with Y specifications, or carry P briefcase with Q specifications, they better be ready to accept that I may show up to work on a bicycle with work documents rolled up in an opening in the frame.

What is much more likely is that in 2017 companies will develop a preference for independent contractors who show up (perhaps virtually from their living room in their PJs) to perform work on specific projects rather than full time staff that has

You make use of Android's "multiuser" feature. Work is one user, your personal life is the other. Android guarantees there is a 100% opaque firewall between the two users, so if work sends an "erase phone" command it erases their user, not the phone.

This pretty much solves the privacy and control aspects. The remaining downside is work still expects you to pay for tools to do the job they ask of you. But hey, at least you only have to carry one device.

They had better give me a stipend to buy my own machine, then, because I'm only going to use it for working with their company. In fact, it will never leave the office. No way in HELL are they going to be able to lay a claim on my personal equipment just because they want to lower their parts and labor costs.

Employees need to get over it, and understand that a second line is a blessing.

I work as a Corporate Store Manager for Bell in Canada, and 90% of my peers carry a single device, and use the same device for work and personal. Bell supplies the line, and they bully vendors into supplying the hardware. Of the 40 or so managers in town, and several hundred sales reps, every single one of us that has been around for longer than 3 months (policy change) carries a Bell supplied line.

Exactly. My company doesn't "technically" allow BYOD (though I imagine that enough pressure from users with the magic "Vice President" in their title will eventually change that), but even so I could totally use my phone. I have a work-provided device which uses ActiveSync, and nobody would ever really know I set my own phone up to receive company mail if I didn't tell them.

But fuck that. Using a separate device for work means that when I'm not on call or otherwise required to be available, I leave it at home and nobody can even attempt to reach me. My direct boss has my personal number for emergencies that might come up, but nobody else. I would never consider giving up the work/life separation that using two different devices affords. I work 40 hours a week, not 168.

A company paying $75 or so for monthly smartphone service pays for itself many times over in keeping employees tethered to the business and available for around-the-clock email and messaging. I expect companies will continue paying for service even for BYOD shops. If forcing employees to purchase a phone discourages them from using a phone for work then it will be a huge loss for companies.

This is how it works where I am (Fortune 500 technology company). The company pays all the service, including my personal calls and data use, and I pay for the phone. They negotiate shorter contract terms and lower up-front device costs. I get my choice of carriers and devices. They also negotiate discounted service pricing for my family.

The company does not wipe my entire device when I disconnect it from their system and remove their MDM, they just delete their content and leave everything else alone. They do enforce screen lock timeouts and require a PIN or password. They will wipe my device in its entirety if it's stolen.

This is a sane BYOD policy that balances the desire of the employees to have a choice in their electronic tether with their needs to secure their IP.

I don't want a smart phone. I choose not to use one - I only care to have a simple phone that does the bare minimum. If they want me to have a smart phone, they'd better provide it for me because I will not spend my own money for a device I choose not to have. Under Australian law (to which I am subject) I don't believe a company can force you to provide your own equipment.

Typically (in what I've seen in IT) they're not *forcing* people to bring their own devices, they're *allowing* them (or suggesting them) to do so. I highly doubt that a company that requires an employee to have a smart phone of some kind in their role would require them to use their own phone.

While your current company may not be able to force you, the situation changes if you are laid off. The next company you apply to could choose not to hire you because of your objection.

I choose not to use a cell phone at all, because of various reasons, the most important being that radiation kills brain cells. I find that some prospective employers don't want to hire me because of my objection, even though the work entails sitting at the same desk all the time.

If they fired me just because I didn't provide my own phone it would be wrongful dismissal. So no.. they could not lay me off on that basis.
It helps that, as an academic, there is little about my job that would be improved with a smart phone. I feel I provide much better instruction talking to students face to face than through some app.

Not much of an issue for devops folks but a big issue in sales and marketing. I wonder if companies allow a sales phone number be switched to a competitor when the sales person switches jobs. This is what happens when Jane changes jobs.

Customer of company A calls Jane who has just gone to company B:
Jane: "Hi Sam, I am glad you called. I now work for B and let me tell you how their product is much better for you..."

There are other jobs like customer support that have similar problems. In this case you want y

I wonder if companies allow a sales phone number be switched to a competitor when the sales person switches jobs.

If a company changes their procedures to allow employees to use their own phones instead of handing them out, they'll also change their procedures about phone numbers. My company simply uses internal numbers assigned to everyone (that they control), that we can forward to our personal phones if need be; this isn't an issue for companies already allowing BYOD.

I worked for a state office where the I.T. staff were all issued cell phones. They were issued because we had it set up to broadcast texts to us when something went wrong. A new administration comes in and the first thing they do is confiscate all cell phones.

I casually mention to our advance guy that all the notifications for server issues go out to said cell phones. We had them back the next day.

All of the mentioned restrictions only work if the phone is locked.
I refuse to sign a contract, or get a locked phone (at least that I pay for).
I have a N1 (never locked), and will probably upgrade before long to a new, never locked, phone. You don't need to unlock if it was never locked in the first place.
If my employer wants that control, they can pay for it.

I've saved the cost of my current phone with lower monthly bills. A single payment up front saves money in the end.
Freedom isn't free, but it doesn't have to cost a lot.

Roaming costs? Big plans can have good data rates; your own, not so much.

My previous company owned the phones and gave them out to individuals. Project Managers, who tended to stay at the office, got 1200 minutes, while technical staff, who tended to have to go out to client sites for two weeks at a stretch, got 500 minutes. I ended up going over a time or two, and was called in to explain myself. On those occasions, I discovered that the corporate plan that the company subscribed to cost about double what an individual's plan would cost with the same minutes. I guess AT&Ts

I don't know what your work does, but this is definitely starting to become common at many places. While I certainly don't want to relinquish admin control over my personal phone, I also like the ability to remotely connect to work resources without needing to carry around two phones.

I remember talking with a very successful businessman a long time ago. He asked me if I knew the difference between a job and a career? I said no. He said, it's simple, in a career you get screwed out of your overtime.

Cellphones are one of the absolute most personal things ever created. Imagine if there's a legal dispute, and your company subpoenas your cellphone, or because you are using it for work, naturally assume they have the right to look at everything you've done. Oh, your carefully protected friends list?, theirs. Your banking information?, theirs. Your pornography collection, (whether or not you've actually used it for such at work), theirs. Wife sends you a teasing pic during the day, which you forgot to delete, Manager looks at it, fired for sexual harassment.

In an ideal world, they wouldn't have access to anything on your phone, but the way things are going, anything used for work is considered fair game.

Should I be buying my own desk? My own chair? Hell, my cubicle walls are clearly my responsibility too, right?
If a company thinks an employee needs something for their job, then they should provide it.

Gartner is so incredibly wrong here. You can't control a plethora of devices connecting to your office network. In reality, you'll have to assume that all devices that connect to you are inherently evil and users using them will be snooped on and their logon credentials will get sniffed. This means you first have to "weaponize" every application you run on your IT infrastructure and make it available as a web service. You'll have to issue two-factor authentication that uses a dynamic element such as a challenge/response hardware key generator. Only when you have everything like that in place, you can "safely" start using BYOD in a corporate environment. By then, there is no more need for people to actually be in the office to do their work, apart from meetings. For meetings, you can always call in or video conference from home. Effectively, the only way to pay for this is to quit renting office space and go completely virtual. Because you no longer rent office space, renting a separate server room will cost you dearly and you'll need your admins to have office space close to that room, so you're still running a brick company. Going to "the cloud" will be more or less mandatory for such a company, from an economic viewpoint. I don't see a significant amount of companies do all this within the next four years. I do see a lot trying to save a few bucks on the abysmal hardware budgets they already have and fail horribly at productivity and security and reverse their decisions, spending much more in the process and not gaining anything.

I didn't RTFA, but generally I'd assume that positions that require on-call access to an employee would provide a phone to those without their own phones, or who just refuse to use theirs for work. Our IT staff already has an on-call phone that's either given to the on-call person, or is forwarded to their personal cell phone if they don't want to lug two around.

It'll be in your contract/employee agreement. "The staff member is expected to make themselves available out-of-hours". Read it carefully.

But I agree with your point - the worst I've seen is when I was expected to be available out of hours but not getting paid for it. How come, I asked the boss. The on-call allowance is factored into your salary, he said.

Yeah, this happened to me once too. My boss was quite personally hurt when I handed in my letter of resignation AND rejected his counter offer to pay. My reasoning: 1. Never accept counter offers - this means that your employer is not paying you what you're really worth, and means that you'll always have to threaten to leave to get paid a fair amount. 2. Never accept counter offers - it's just a method for them to change the timing of when you leave to something more convenient to them.

If more people had the guts to trust in their own abilities, we would all be better off.

I've seen that same "never accept counter offers" reasoning before, and to some degree I agree with it, but that's assuming that the benefits of a job are entirely monetarily-based, which isn't a great way to look at employment. What if the employer giving you a counter offer is a smaller shop with less resources, but has a great work environment, your coworkers and boss are awesome, and the work you're doing is fun and interesting?

I've seen option 2: "Never accept counter offers - it's just a method for them to change the timing of when you leave to something more convenient to them" at least a dozen times in 20 years.

Unless the company really has been screwing you over or really dropped the ball - once you decide to go they feel betrayed (despite the fact they are planning to outsource your job in 18 months anyway). Sometimes even when they realize they were screwing you over, they STILL feel betrayed.

Remote phone management software already exists and is already being used at places where employees can use their own devices; that software (among other things) allows for remote data wiping in the event the phone is lost or an employee is let go.

Oh I know, but I can think of situations where it would not matter, such as the employee leaving on his own without warning, the user turning off the cell signal etc. If the phone is a business phone the same is possible, but traceable by the owner (business).

Yeah, totally, although that's not much different than someone just storing data from their work machine to a USB stick, and keeping that stick in their possession after leaving/getting fired. I assume ultimately those sorts of situations where companies are seriously worried about that data "theft" result in legal action, or something similar.

Well, we're referring to different things. ganjadude and I were talking about effectively "taking" company data, and how useful mobile management tools are at preventing that, so I was using "backlash" to refer to *companies* having issues with employees that leave.

To your point - users may not have any legal or official room to complain, but that rarely stops people from actually complaining.

Typically the remote management software will work with any connection, so if your wifi hits the internet (mild pedantry - airplane mode disables wifi too, but obviously you could just disable mobile data), and is consequently able to call 'home' to your employer, it'll still be able to perform a remote wipe.

That said, what you describe is functionally no different than simply backing up company documents from your work PC to an external drive, and then leaving with that information. Or, even lower tech, ju

what you describe is functionally no different than simply backing up company documents from your work PC to an external drive, and then leaving with that information. Or, even lower tech, just taking physical documents with you when you leave.

An employer can lawfully withhold amounts from an employee’s wages only: (1) when required or empowered to do so by state or federal law, or (2) when a deduction is expressly authorized in writing by the employee to cover insurance premiums, benefit plan contributions or other deductions not amounting to a rebate on the employee’s wages, or (3) when a deduction to cover health, welfare, or pension contributions is expressly authorized by a wage or collective bargaining agreement.
Some common payroll deductions often made by employers that are unlawful include:...
Gratuities. An employer cannot collect, take, or receive any gratuity or part thereof given or left for an employee, or deduct any amount from wages due an employee on account of a gratuity given or left for an employee.
Bond. If an employer requires a bond of an applicant or employee, the employer must pay the cost of the bond.
Uniforms. If an employer requires that an employee wear a uniform, the employer must pay the cost of the uniform.
Business Expenses. An employee is entitled to be reimbursed by his or her employer for all expenses or losses incurred in the direct consequence of the discharge of the employee’s work duties.....

.......
Q. If I break or damage company property or lose company money while performing my job, can my employer deduct the cost/loss from my wages?
A. No, your employer cannot legally make such a deduction from your wages if, by reason of mistake or accident, a cash shortage, breakage, or loss of company property/equipment occurs. ..
Labor Code Section 224 clearly prohibits any deduction from an employee’s wages which is not either authorized by the employee in writing or permitted by law, and any employer who resorts to self-help does so at its own risk.

You presume that most companies give a crap about the law. Instead lawyers are hired and loopholes are discovered. You just quoted "...authorized by the employee in writing...". I guarantee that this provision is included within the employee handbook and a signature from the employee to agree to such provisions is almost always a condition of employment.

I know first hand of people who have been required to procure their own uniform at their own cost. Sometimes the employers just don't give a flyin' flip.